
ISO 27001:2013 To ISO 27001:2022 Transition

The ISO/IEC 27001 information security management system standard provides businesses with a framework for managing risks and protecting against threats to secure information assets ranging from financial information and intellectual property to employee information and more.

Today, information security is at the forefront of practically every company's priority list.
The scenarios companies must address are changing quickly. Rising adoption of cloud and automation technologies, together with evolving cybersecurity, privacy, malware, and ransomware threats, is compelling companies to reassess their context, primary risks and threats, and relevant stakeholders in an organised and trustworthy manner.

The revised ISO/IEC 27001:2022

The new ISO/IEC 27001:2022 edition tackles the new scenarios that companies must deal with. Most of the changes are in Annex A, which had been anticipated by the publication of ISO/IEC 27002, where security controls have been added, eliminated, or merged. The modifications include advancements in cyber security and privacy, including a refresh of the control language and the addition of new recommendations. This enables businesses to monitor risks, ensure that nothing is overlooked, and follow up properly.

The previous version was released in 2013. Inevitably, the security control modifications are substantial, with 11 new, 58 revised, and 24 combined controls.

The following changing scenarios are being addressed in particular:

  • Introduction of modern technology such as cloud computing and automation.
  • Recent growth in the acceptance of such technology.
  • Recognising security and privacy threats.
  • Considering the shifting threat landscape, such as new varieties of malware and ransomware.
  • Aligning with other best practices, such as NIST, COBIT, and so on.
  • Refreshing the control language and providing more guidance.

The adjustments have the greatest influence on the following areas:

  • Leadership
  • Corporate Security
  • Information Technology
  • Other support functions
  • Delivery (for all service providers)

Organisations must re-evaluate their risk assessments and update their security controls to remain compliant. In addition to the control adjustments, the 2022 edition has been re-aligned with the most recent updates to ISO's High-Level Structure (HLS). These modifications are based on the most recent version of Annex SL of the ISO/IEC Directives, Part 1 (2022). These changes, however, are deemed minimal because the 2013 edition was one of the first standards to integrate the HLS.

Timeline for Transition

On October 25, 2022, the updated edition of ISO/IEC 27001 was issued. The changeover period will last three years. Existing ISO/IEC 27001:2013 certificates must therefore be transitioned to the new version before November 2025. The transition audit can be undertaken as part of any planned audit during the three-year transition period or as a specific transition audit.

Preparing for implementation

We propose that you begin preparing for the shift as soon as possible and plan thoroughly to include the necessary changes in your management system.

Steps to take during the transition:
  • Learn about the standard’s contents and requirements.
  • Pay attention to the modifications implied by the updated standard.
  • Ensure that all relevant individuals in your organisations have received training and are aware of the requirements and major developments.
  • Identify the gaps that must be filled to fulfil the new standards and develop an implementation strategy.
  • Take action and update your management system to fulfil the new criteria.

How RNR can help

RNR can help you with your information security management system certification and transition, whether you are already certified to ISO/IEC 27001 or are new to the standard. As a world-leading certification organization, we work with small and large businesses all over the world to meet their IT, cyber security, and privacy demands.

If you are preparing to upgrade from version 2013 to version 2022, we can help you with the following services:

  • Gap analysis: we will conduct a gap analysis to identify the differences between your current ISMS and the requirements of ISO 27001:2022. This will help us to prioritize the changes that need to be made to your ISMS.
  • Transition plan: we will develop a transition plan that outlines the steps that need to be taken to transition to ISO 27001:2022. This plan will include a timeline, budget, and resources.
  • Implementation: We will work with you to implement the changes to your ISMS. This includes training your staff, developing new documentation, and testing your controls.
  • Preparation for certification audit: We will help you to prepare for your certification audit by reviewing your documentation and providing training to your staff.

Benefits

Transitioning to ISO 27001:2022 can provide your organization with several benefits, including:

  • Increased confidence in your information security
  • Reduced risk of data breaches and other incidents
  • Improved compliance with regulations
  • Increased customer trust
  • Enhanced brand reputation

RNR is here to help you at every step of the way.

Are you considering ISO/IEC 27001 certification for the first time? Please see our information security management system service page for additional information on its features, benefits, and certification path.

To learn more about our consulting services or to schedule a consultation, please feel free to contact us.
